Essential Integration Approaches

An Organisation that integrates SWITCH edu-ID needs to make sure that each member (student, staff, further education student) has an edu-ID identity that it is linked to their local, organisational identity. A linked edu-ID account has at least one organizational affiliation associated to it. It must be possible for edu-ID to at least daily check that an identity at an organisation still exists or the organisation itself has to notify edu-ID about changes for an identity.

edu-ID supports a large variety of methods to link accounts and interfaces to manage affiliations and synchronize attributes which can be combined in many different ways. Here are the two most common combinations of linking and syncing: eMail-based linking with pulling affiliations and Organizational linking with pushing affiliations.

 

eMail-based linking and Affiliation Pull

  • edu-ID operates eMail-based linking as part of my edu-ID account management (https://eduid.ch).
  • After a user has added an eMail address, the linking process is started by pulling an affiliation.
  • The attribute aggregator has read-only access to the organizational directory.
  • The attribute aggregator searches the organizational directory for a matching user entry that contains the uers's email address.
  • If a valid user was found, an affiliation is created.
  • Subsequently, in daily update rounds, affiliations are compared with the directory, and updated or removed as needed.

linking-mail-pull

Advantages of this approach

  • The connector between the university directory and edu-ID (the Attibute Provider) can either be operated by the university or SWITCH
  • If SWITCH operates the Attribute Provider (as shown in the diagram above), the organization only has to provide read-only access to the directory. No additional software has to be developed or operated by the university.
  • Simple to set-up for university.
  • Simple to use for users.

During the linking process, the edu-ID service has to determine which organizational directory to query. This is either done by checking the mail-domain of the email address, or the user selects the organization to which a link is to be established. Therefore, eMail-based linking comes in two variants: linking with an organizational eMail address or with a private email address.

Linking with organizational eMail address

This method is for organizations, who issue email addresses within their domain to all of their members. Switch registers a list of mail-domains that are used to determine the organization witch which a link is to be established.

Prerequisite: Organization membership of a person is determined by the domain of the eMail address. All organization members need to have an organizational eMail. The eMail-based linking method supports multiple eMail domains, but the number should not exceed 10 eMail domains for one organization.

Linking with personal eMail address

This method is for organizations who don't issue organizational eMail adresses to all of their members. Since the mail-domain can't be used to determine the organizational directory to query, the user is first asked with which organization a link is to be established.

 

Organizational linking and Affiliation Push

  • The organization develops and operates an Organizational Linking Service.
  • The purpose of the linking service is to make sure that a member has an edu-ID account, and that the edu-ID identifier is known to the identity management system (IdM).
  • After a user has completed the linking process, the edu-ID identifier is transferred to the IdM.
  • The IdM has rules in place to decide if and when an affiliation should be added to a member's edu-ID account.
  • The IdM has a connector to create, update and delete affiliations via the edu-ID affiliation API.

linking-org-push

Advantages of this approach

  • All affiliation updates by the IdM are immediately effective.
  • The approach supports student registration processes with edu-ID.
  • Gives an organization with IdM most control over affiliations.